Organizations today face unprecedented challenges to increase productivity and performance. Having an effective internal audit system is an important tool that allows organizations to determine where key strengths and weaknesses exist within their processes. Once identified they can build on their strengths and allocate resources to improve the weaknesses.
However, many organizations have limited resources yet must still find ways to perform effective audits. Organizations with multiple management systems (e.g., quality and environmental) may discover that their internal audits are utilizing too many resources or they’re simply not providing the necessary value. In some cases the internal audit program may concentrate more on one standard than the other depending on the auditor’s background and experience. Organizations are facing considerable competition and price sensitivity in today’s economy. They must find smarter and more efficient ways to manage and glean the value from their audit processes.
THE UNFLOWABLE CHECKLIST
Many organizations still perform audits using a traditional checklist approach even though the checklists can be very cumbersome and may not flow the way the organization’s business processes are defined.
Auditors using standard checklists based on subclauses of a standard (e.g., ISO 9001) have a hard time maintaining focus. They have to continuously jump from one section of the standard to another. Or in many cases auditors have to go to the same area of the company several times to cover different requirements that relate to different processes. The checklist-based approach can be an inefficient use of the auditor’s time.
By contrast, a process-based approach to an audit is not only flexible, it allows companies to structure their audits to fit their specific business processes. Where organizations have worked to integrate their management systems to maximize efficiency, internal and external auditors should be utilizing integrated auditing techniques. This further streamlines the audit process, making the most effective use of the audit time and resources as well as helping to identify areas of strength and weakness across multiple management system standards.
This article will focus primarily on the basics of a process-based auditing approach. TÜV SÜD America is offering a follow-up webinar, ‘Integrated Auditing Using the Process Approach for Quality and Environmental Management Systems,’ which will expand upon the application of process auditing to integrated management system audits.
A PROCESS APPROACH TO AUDITING
As per the ISO 9001 guidance document for the use of the process approach, a process is “set of interrelated or interacting activities, which transforms inputs into outputs.” These activities require allocation of resources such as people and materials. According to ISO 9001:2008:
“The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management to produce the desired outcome, can be referred to as the ‘process approach.’”
In practical terms, a process-based audit would take a specific process and start the audit by understanding process objectives and performance measurements together with the interaction of other processes. The objectives and performance information would be used to target specific areas of the process that pose the highest risk to the organization or its customers and stakeholders. The audit would not only look at the actual process steps, but also the resources (i.e., materials, equipment, personnel) as well as the established methods for running the process. This provides in-depth coverage of the organization’s operations.
In contrast, the clause-based approach has a very narrow focus, as the auditor only looks at conformity to a stand-alone requirement of the standard, without checking interactions, risks, or links. The narrow focus normally results in auditors missing key weaknesses and risks within the operations being audited. In fact, this was one of the chief problems and complaints with early versions of ISO 9001.
When you use the process approach to auditing you are actually covering several of the ISO standard clauses or subclauses in a given process. To understand how much more comprehensive (and sensible) a process approach to auditing is, consider this example:
If an auditor was auditing, for instance, the procurement (purchasing) process using a clause-based approach, she would only focus on the requirements of subclauses 7.4.1 and 7.4.2. However, if using the process approach, she would cover many other subclauses, such as 4.1 (general requirements); 4.2.3 and 4.2.4 (document and record control); 5.3 (quality policy); 5.4.1 (quality objectives); 5.5.1 (responsibility and authority); 6.1 (provision of resources); 6.2 (human resources); 8.2.3 (monitoring and measurement of processes); 8.4 (analysis of data) and 8.5 (improvement).
An integrated audit with ISO 14001 for an environmental management system would also cover 4.1 (general requirements); 4.2 (environmental policy); 4.3.1 (environmental aspects); 4.3.3 (objectives, targets, and programs); 4.4.1 (roles and responsibilities); 4.4.2 (competence and training) 4.4.3 (communication); 4.4.5 (document control); 4.4.6c (operational controls/contractor/supplier management); 4.5.3 (nonconformity, corrective/preventive action); and 4.5.4 (record control).
To ensure that all requirements of an ISO management standard are covered, auditors use a process matrix to plot processes vs. subclauses. Keep in mind that many subclauses will be covered in more than one process, e.g., 4.1 (general requirements) 4.2.4 (control of records); and 8.2.3 (monitoring and measurement of processes).
IS A PROCESS BASED AUDIT MORE DIFFICULT?
A clause-based audit is slightly easier to plan, because the same basic plan can be used to audit many different organizations. However, auditing to the process approach is easier because it follows the natural flow of the organization’s operations and activities. It does take some initial practice and experience to understand how different subclauses apply to each process (and which ones apply to all processes), but once the auditor performs a few audits, it becomes quite simple.
By contrast, a clause-based audit, because it is so narrowly focused on a specific requirement of the standard, in many cases forces the auditor to return to the same process or activity several times to obtain the information and evidence needed. Even if the clause approach is, in theory, easier to plan, all the disadvantages, inefficiencies and nonvalue-added results of a clause-based audit make any difficulty in planning a process-based audit worthwhile. This is particularly true if you keep in mind that after a few audits, it will become easier to plan process-approach audits.
An audit is not necessarily faster or slower using one approach or the other. The key difference is that audits using the process approach make a more effective and efficient use of the time that is available for the audit. Additionally, process-based audits lead to audit findings that are more meaningful to an organization, since the audit is tailored to the company’s processes rather than segmenting the audit to match a checklist of the standard.
RESULTS
Implementing a process-based audit can strengthen an organization’s quality management system, create a more effective audit process, and increase the overall value of the auditing process.
In general, a process-based approach is going to provide better results, that is, you are more likely to find weaknesses in your process. It’s easy to miss key process weaknesses using a clause or checklist approach. For example, when auditing the receiving process, an auditor would focus only on auditing the requirements of subclause 7.4.3 and check if the organization has “established and implemented the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.” However, when you follow the process approach, the auditor would find out which specific areas of the activity may have weaknesses such as poor performing suppliers or customer complaints related to a supplier issue. This could easily be missed if the process approach is not used.
PREPARING FOR A PROCESS BASED AUDIT
So how do you get started? First of all, of course, auditors need be trained in the process approach using a combination of classroom training, mock audits, and on-the-job training audits.
When it comes time to performing a real process audit, the auditor will need the organization’s management system manuals that show the organization’s defined processes. This process information will be used to prepare the plan and determine the specific processes to be audited against the applicable subclauses. Auditors should also obtain process and organizational performance information to determine which processes pose the highest risk.
CONCLUSION
A process-based approach makes more sense than a clause-based approach to auditing. Although it requires a bit more planning, a process approach to auditing is more efficient, more logical, and most important, adds more value to the organization. Because the purpose of an internal or external audit is to validate whether your company is running optimally and providing true value for its customers and stakeholders, you want an audit that truly reflects the way your company runs. That is what a process-based audit gives you.
To take process-based auditing a step further, organizations with integrated quality and environmental management systems should be taking advantage of integrated audits. For more information on a process-based approach for integrated audits, attend the webinar “Integrated Auditing Using the Process Approach for Quality and Environmental Management Systems” on Nov. 1, 2013.
First published October 24, 2013 in Quality Digest Daily, an electronic publication from Quality Digest magazine (www.qualitydigest.com).
Bio:
Jorge A. Correa, management services operations manager at TÜV SÜD America, has more than 25 years overall experience in manufacturing and services, including 15 years as an accredited auditor conducting direct third-party audits in automotive, aviation, semiconductors, fabricated metal, plastics, glass, engineering services, general manufacturing, logistical support services, transportation, and business services. Prior to joining TÜV SÜD, Correa was vice president, Latin America Operations, at AQSR International; director, Latin America Operations, Omnex Engineering & Management; supplier QA engineer and service engineer, Ford Motor Co. He speaks four languages and has an MBA in finance and a bachelor’s degree in aeronautical engineering.